Social Login access_token scopes missing

Hi Community,

I am integrating Facebook, Google and Apple as new social logins. I am already using Database Connection.

I am actually using the Authorization Code flow, so after the user has logged in with Facebook I am getting the auth code (in the callback url) and I am able to exchange it for an access_token.
With that access_token then I query the userInfo endpoint to get the UserId and consequently assign the roles/scopes this user needs to have (in this case scope:customer).

After roles have been assigned to the user, I get a refreshed access_token using the refresh token endpoint and return that new access_token to the FE.

The first issue I am actually facing is that scopes are not being included in the access_token, consequently, the user cannot operate against the APIs.
My second concern is that I feel I am making the flow too complicated. Is there a better way to achieve this?


Hi @flarocca welcome back!

Since you mentioned using the Authorization Code Flow, are you using one of our SDKs and if not can you confirm the steps you took match our recommended implementation as outlined here? I’ve also included a link to our guide on adding User login with Authorization Code Flow here.

Please review those documents, and get back to me where in that process your application seems to be breaking. To your point about scopes, are you adding custom claims that aren’t appearing in your access token, and are you executing this within a rule once the user has logged in?

Thanks for looking over my questions and documentation, hopefully this helps clarify some things.

Best Regards,

Hi @colin.coutts, I really appreciate that you took the time to answer me.
I’ve posted a question on Stack Overflow.

I need to be able to assign roles after the user has signed up (or logged in for the very first time) using some social provider. But this needs to happen automatically, as I am actually doing it using Database Connection.

This is the flow using Database connection:

  1. managementApiClient.Users.CreateAsync(new UserCreateRequest{…})
  2. managementApiClient.Users.AssignRolesAsync(userId, new AssignRolesRequest { Roles = [/* Customer or Provider depending on a query string parameter */] })
  3. response = await authenticationApiClient.GetTokenAsync(new ResourceOwnerTokenRequest{…});
  4. return response.AccessToken

The access token returned in step 4 contains all the scopes the user requires in order to hit the APIs

Now, using the Social Login flow, even though I am using different URL callbacks to identify Customers from Providers, and even though I am assigning the corresponding roles, they are not included in the access_token (even getting a refreshed token).
So the steps I am following are:

  1. Create the URL using authenticationApiClient.BuildAuthorizationUrl() using AuthorizationResponseType.Code flow including the required scopes (offline_access, openid, scope:Customer or scope:Provider). (Each role has its own URL callback.)
  2. Exchange AuthCode for an access_token and refresh_token
  3. Query /userinfo endpoint to get userid
  4. managementApiClient.Users.AssignRolesAsync(userId, new AssignRolesRequest { Roles = […] })
  5. AccessTokenResponse response = await authenticationApiClient.GetTokenAsync(new RefreshTokenRequest { …}); //Pay attention here, we are refreshing the token to get the scopes applied
  6. return response.AccessToken

So, this last AccessToken does not include any of the requested scopes, in consequence, the user cannot use any of our APIs.

The workaround we found is to create a custom rule and assign their roles on the very first login. At this point we cannot distinguish Customers from Providers.
For now, we want social logins only for Customers. But this will break as soon as we decide to implement social login for roles other than Customer.

Hi @colin.coutts, any news or recommendation on this?
I would really appreciate it!

Thanks a lot!

Hi @flarocca,

Nothing is jumping out to me at the moment concerning your setup. If you’re still encountering this issue, would you be able to capture a .har that you could send to me in a DM (please remove any sensitive information prior to sending)? It could be beneficial to get a .har of both your working database connection as well as this social connection so I can compare the network traces.

Once I see those I might have a better insight into why your roles aren’t populating as expected.

Colin Coutts
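
A .har capture of the flow described in this thread contains the authorization code on the callback redirect, the token-exchange request body, the access and refresh tokens in the response, and session cookies. The following is an added example, not code from the thread or from Auth0, of a scrubber for a parsed HAR; the `SECRET_NAMES` set is an assumption to extend for your application, and the host names and token values in `SAMPLE_HAR` are constructed.

```python
import json
import re

# Assumed secret-bearing names for this flow; extend the set for your application.
SECRET_NAMES = {"code", "access_token", "refresh_token", "id_token", "client_secret",
                "password", "authorization", "cookie", "set-cookie"}
MASK = "REDACTED"
# Matches name=value pairs in URLs, Location headers and form-encoded bodies.
PAIR_RE = re.compile(r"\b(%s)=[^&\s\"'#]+" % "|".join(map(re.escape, SECRET_NAMES)), re.I)

def scrub_text(text):
    """Mask secrets in one string: JSON bodies are parsed, other text is pattern-masked."""
    if text.lstrip()[:1] in ("{", "["):
        try:
            return json.dumps(scrub(json.loads(text)))
        except ValueError:
            pass
    return PAIR_RE.sub(lambda m: m.group(1) + "=" + MASK, text)

def scrub(node):
    """Return a copy of a parsed HAR (or JSON body) with secrets masked."""
    if isinstance(node, list):
        return [scrub(v) for v in node]
    if isinstance(node, str):
        return scrub_text(node)
    if not isinstance(node, dict):
        return node
    if str(node.get("name", "")).lower() in SECRET_NAMES and "value" in node:
        return {**node, "value": MASK}  # header, query or form parameter
    out = {}
    for key, value in node.items():
        if key == "cookies":
            out[key] = []  # cookie names are arbitrary, so drop them all
        elif key.lower() in SECRET_NAMES or (key == "text" and node.get("encoding") == "base64"):
            out[key] = MASK  # secret JSON field, or an opaque base64 body
        else:
            out[key] = scrub(value)
    return out

# Constructed sample: the callback redirect and the code exchange.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://tenant.example/authorize?response_type=code",
                 "headers": [{"name": "Cookie", "value": "session=s3cr3t"}]},
     "response": {"redirectURL": "https://app.example/callback?code=AUTHCODE123&state=xyz"}},
    {"request": {"url": "https://tenant.example/oauth/token", "postData": {
        "text": "grant_type=authorization_code&code=AUTHCODE123&client_secret=CLIENTSECRET"}},
     "response": {"content": {"mimeType": "application/json", "text": json.dumps(
         {"access_token": "AT-VALUE", "refresh_token": "RT-VALUE", "scope": "openid"})}}},
]}}
```

Load the capture with `json.load`, pass it through `scrub`, and review the result before sharing it: masking is name-based, so a secret carried under a name that is not in the set passes through unchanged.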